RobbinHood
RobbinHood is a ransomware that targets companies and the computers on their network. It is aimed at English-speaking users. On February 6th, 2020, RobbinHood was found exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows that is used to terminate antivirus and security software.

Payload Transmission

RobbinHood is distributed through hacked remote desktop services or through other Trojans that give the attackers access to the victim's network.

Infection

When RobbinHood is executed, it disconnects all network shares from the computer using the following command:

cmd.exe /c net use * /DELETE /Y

Before continuing, the ransomware attempts to read a public RSA encryption key from C:\Windows\Temp\pub.key. If this key is not present, it displays a message saying that it can't find the file specified and exits. If the key is present, it continues preparing the victim's computer for encryption.

Next it stops 181 Windows services associated with antivirus, database, mail server, and other software that could keep files open and prevent their encryption.
It does this by issuing an "sc.exe stop" command for each service, as shown below:

cmd.exe /c sc.exe stop AVP /y

It stops the following services:

AVP, MMS, ARSM, SNAC, ekrn, KAVFS, RESvc, SamSs, W3Svc, WRSVC, bedbg, masvc, SDRSVC, TmCCSF, mfemms, mfevtp, sacsvr, DCAgent, ESHASRV, KAVFSGT, MySQL80, POP3Svc, SMTPSvc, Smcinst, SstpSvc, TrueKey, mfefire, EhttpSrv, IISAdmin, IMAP4Svc, McShield, MySQL57, kavfsslp, klnagent, macmnsvc, ntrtscan, tmlisten, wbengine, Antivirus, MSSQL$TPS, SQLWriter, ShMonitor, UI0Detect, sophossps, MSOLAP$TPS, MSSQL$PROD, SAVService, SQLBrowser, SmcService, swi_filter, swi_update, AcrSch2Svc, EsgShKernel, MBAMService, MSSQLSERVER, MsDtsServer, SntpService, VeeamNFSSvc, swi_service, AcronisAgent, FA_Scheduler, MSExchangeES, MSExchangeIS, MSExchangeSA, MSSQL$ECWDB2, MSSQL$SOPHOS, MSSQL$TPSAMA, PDVFSService, ReportServer, SQLAgent$TPS, SQLTELEMETRY, VeeamRESTSvc, MSExchangeMTA, MSExchangeSRS, MSOLAP$TPSAMA, McTaskManager, SQLAgent$CXDB, SQLAgent$PROD, VeeamCloudSvc, VeeamMountSvc, SQL Backups, mozyprobackup, msftesql$PROD, swi_update_64, EraserSvc11710, MSExchangeMGMT, MSSQL$BKUPEXEC, MSSQL$SQL_2008, MsDtsServer100, MsDtsServer110, SQLSERVERAGENT, VeeamBackupSvc, VeeamBrokerSvc, VeeamDeploySvc, Sophos Agent, svcGenericHost, EPUpdateService, MBEndpointAgent, MSOLAP$SQL_2008, MSSQLFDLauncher, McAfeeFramework, SAVAdminService, SQLAgent$ECWDB2, SQLAgent$SOPHOS, SQLAgent$TPSAMA, VeeamCatalogSvc, MSSQL$SHAREPOINT, MSSQL$SQLEXPRESS, MSSQL$SYSTEM_BGC, NetMsmqActivator, ReportServer$TPS, SepMasterService, TrueKeyScheduler, EPSecurityService, MSOLAP$SYSTEM_BGC, MSSQL$PRACTICEMGT, SQLAgent$BKUPEXEC, SQLAgent$SQL_2008, SQLSafeOLRService, VeeamTransportSvc, Zoolz 2 Service, MSSQL$PRACTTICEBGC, MSSQL$VEEAMSQL2012, Sophos MCS Agent, BackupExecJobEngine, MSSQL$SBSMONITORING, MSSQLFDLauncher$TPS, MSSQLServerADHelper, McAfeeEngineService, OracleClientCache80, ReportServer$TPSAMA, SQLAgent$SHAREPOINT, SQLAgent$SQLEXPRESS, SQLAgent$SYSTEM_BGC, SQLTELEMETRY$ECWDB2, Sophos MCS Client, BackupExecRPCService, MSSQL$VEEAMSQL2008R2, TrueKeyServiceHelper, BackupExecVSSProvider, MSSQL$PROFXENGAGEMENT, ReportServer$SQL_2008, SQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$VEEAMSQL2012, BackupExecAgentBrowser, MSSQLFDLauncher$TPSAMA, MSSQLServerADHelper100, MSSQLServerOLAPService, SQLAgent$SBSMONITORING, VeeamDeploymentService, VeeamHvIntegrationSvc, Acronis VSS Provider, Sophos Clean Service, ReportServer$SYSTEM_BGC, SQLAgent$VEEAMSQL2008R2, Sophos Health Service, Sophos Message Router, MSSQLFDLauncher$SQL_2008, SQLAgent$PROFXENGAGEMENT, SQLsafe Backup Service, SQLsafe Filter Service, SQLAgent$CITRIX_METAFRAME, VeeamEnterpriseManagerSvc, BackupExecAgentAccelerator, MSSQLFDLauncher$SHAREPOINT, MSSQLFDLauncher$SYSTEM_BGC, Sophos Safestore Service, Symantec System Recovery, BackupExecManagementService, Enterprise Client Service, Sophos AutoUpdate Service, BackupExecDeviceMediaService, Sophos Web Control Service, MSSQLFDLauncher$SBSMONITORING, Sophos File Scanner Service, McAfeeFrameworkMcAfeeFramework, MSSQLFDLauncher$PROFXENGAGEMENT, Sophos Device Control Service, Sophos System Protection Service, Veeam Backup Catalog Data Service.

During this preparation stage, RobbinHood also clears Shadow Volume Copies, clears the event logs, and disables Windows automatic repair by executing the following commands:

vssadmin.exe delete shadows /all /quiet
WMIC shadowcopy delete
wevtutil.exe cl Application
wevtutil.exe cl Security
wevtutil.exe cl System
Bcdedit.exe /set {default} recoveryenabled no
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

It then begins to encrypt the victim's targeted files. When encrypting files, an AES key is created for each file. The ransomware then encrypts the AES key and the original filename with the public RSA encryption key and appends the result to the encrypted file. Each encrypted file is then renamed using the format Encrypted_randomstring.enc_robbinhood.
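Every command in the preparation stage above is spawned through cmd.exe or a well-known system utility, so process-creation telemetry (Sysmon Event ID 1, EDR process logs) catches the whole sequence before any file is touched. The following is an added example, not code from the Malware Wiki page or from any analysis of the sample: it scans constructed Sysmon-style process-creation log lines for the commands listed above and for a burst of "sc stop" requests against security, backup and database services. The log layout, the watchlist (a subset of the service names above) and the verdict thresholds are assumptions made for this example.

```python
import re

# Constructed watchlist: a subset of the service names the page lists as
# stopped by RobbinHood, lower-cased for case-insensitive comparison.
WATCHED_SERVICES = {
    "avp", "mcshield", "savservice", "mbamservice", "mssqlserver",
    "veeambackupsvc", "msexchangeis", "wbengine", "sqlwriter", "ekrn",
}

# The preparation-stage commands described on the page, as regex patterns.
PATTERNS = [
    ("net_use_delete",     re.compile(r"\bnet\s+use\s+\*\s+/delete\b", re.I)),
    ("vss_delete",         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("eventlog_clear",     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\w+", re.I)),
    ("recovery_disabled",  re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bootstatus_ignored", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# "sc stop <service>" with the service name either quoted or bare.
SC_STOP = re.compile(r'\bsc(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
# Assumed log layout: key=value fields, command line last and double-quoted.
CMDLINE = re.compile(r'cmdline="(.*)"\s*$')


def analyze(lines):
    """Scan process-creation records; return matched tags, stopped services and a verdict."""
    hits, tags, stopped, watched = [], set(), set(), set()
    for lineno, line in enumerate(lines, start=1):
        m = CMDLINE.search(line)
        if not m:
            continue  # not a record in the layout this example understands
        cmd = m.group(1)
        for tag, pat in PATTERNS:
            if pat.search(cmd):
                hits.append((lineno, tag, cmd))
                tags.add(tag)
        for quoted, bare in SC_STOP.findall(cmd):
            svc = quoted or bare
            stopped.add(svc)
            if svc.lower() in WATCHED_SERVICES:
                watched.add(svc)
                hits.append((lineno, "sc_stop_watched", cmd))
    # Assumed thresholds: several distinct preparation-stage commands, or a
    # burst of stop requests against security/backup/database services.
    verdict = len(tags) >= 3 or len(watched) >= 3
    return {"hits": hits, "tags": sorted(tags), "stopped_services": sorted(stopped),
            "watched_stopped": sorted(watched), "verdict": verdict}


# Constructed sample log: ten lines mimicking the sequence described on the
# page, followed by two benign records (a normal service stop and notepad).
SAMPLE_LOG = [
    '2020-02-06T10:15:01Z host=FS01 pid=4120 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c net use * /DELETE /Y"',
    '2020-02-06T10:15:02Z host=FS01 pid=4132 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c sc.exe stop AVP /y"',
    '2020-02-06T10:15:02Z host=FS01 pid=4140 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c sc.exe stop McShield /y"',
    '2020-02-06T10:15:03Z host=FS01 pid=4148 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c sc.exe stop SAVService /y"',
    '2020-02-06T10:15:03Z host=FS01 pid=4156 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c sc.exe stop MSSQLSERVER /y"',
    '2020-02-06T10:15:04Z host=FS01 pid=4164 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c sc.exe stop VeeamBackupSvc /y"',
    '2020-02-06T10:15:05Z host=FS01 pid=4172 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2020-02-06T10:15:05Z host=FS01 pid=4180 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="WMIC shadowcopy delete"',
    '2020-02-06T10:15:06Z host=FS01 pid=4188 image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil.exe cl Security"',
    '2020-02-06T10:15:06Z host=FS01 pid=4196 image=C:\\Windows\\System32\\bcdedit.exe cmdline="Bcdedit.exe /set {default} recoveryenabled no"',
    '2020-02-06T11:02:10Z host=FS01 pid=5020 image=C:\\Windows\\System32\\sc.exe cmdline="sc.exe stop Spooler"',
    '2020-02-06T11:03:44Z host=FS01 pid=5044 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\jdoe\\notes.txt"',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for lineno, tag, cmd in report["hits"]:
        print(f"line {lineno:>3}  {tag:<20} {cmd}")
    print("verdict:", "RobbinHood-like preparation activity" if report["verdict"] else "nothing notable")
```

The single stop of the Print Spooler is recorded but does not raise the verdict on its own; what matters is the combination of shadow-copy deletion, log clearing and recovery tampering, or several stop requests against the watched services within one host's timeline. In production the same patterns belong in a SIEM rule keyed on the host and a short time window, and the watchlist should be extended with the rest of the 181 names above.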
When encrypting files, RobbinHood skips any files found in or under the following directories:

ProgramData, Windows, bootmgr, Boot, $WINDOWS.~BT, Windows.old, Temp, tmp, Program Files, Program Files (x86), AppData, $Recycle.bin, System Volume Information

While running, RobbinHood has the ability to send debug output to the console. This feature is currently disabled in distributed versions of the ransomware, and there is no runtime switch to enable it. The ransomware will, though, create numerous log files under the C:\Windows\Temp folder. These files are called rf_, ro_l, and ro_s. It is not currently known what each log file is for, other than the rf_s file, which is used to log the creation of ransom notes in each folder. After encryption has been completed, these log files are deleted. Below is an example of some of the debug messages that would be displayed during this cleanup stage if console output was enabled.

Furthermore, if console output is enabled in the ransomware, when it has finished encrypting a computer it displays a final message stating "Enjoy buddy :)))".

While encrypting the computer it also creates four different ransom notes named _Decrypt_Files.html, _Decryption_ReadMe.html, _Help_Help_Help.html, and _Help_Important.html. The ransom note reads as follows:

What happened to your files?
All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone:
1 - We encrypted your files with our "Public key"
2 - You can decrypt, the encrypted files with specific "Private key" and your private key is in our hands ( It's not possible to recover your files without our private key )

Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get all your data back.
Follow the instructions to get all your data back:

OPTION 1
Step 1 : You must send us 3 Bitcoin(s) for each affected system
Step 2 : Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your decrypter

OPTION 2
Step 1 : You must send us 13 Bitcoin(s) for all affected system
Step 2 : Inform us in panel, wait for confirmation and get all your decrypters

Our Bitcoin address is: xxx

BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY

Access to the panel ( Contact us )
The panel address: http://xbt4titax4pzza6w.onion/xx/
Alternative addresses
https://xbt4titax4pzza6w.onion.pet/xx/
https://xbt4titax4pzza6w.onion.to/xx/

Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with us:
Step 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address
If you're having a problem with using Tor Browser, Ask Google: how to use tor browser

Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo.

Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online

These ransom notes contain information about what has happened to the victim's files and a bitcoin address that can be used to make a ransom payment. The ransom payments are currently set at 3 bitcoins per affected system or 13 bitcoins for the entire network.

Categories: Ransomware, Win32 ransomware, Win32, Microsoft Windows, Win32 trojan, Trojan
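The file-system artifacts described on this page (the Encrypted_randomstring.enc_robbinhood naming, the four ransom note names, the skipped directories and the pub.key file under Windows\Temp) are what an incident responder triages first on a suspected host. The following is an added example, not code from the Malware Wiki page or from any analysis of the sample: it walks a directory tree, collects encrypted files and ransom notes, checks for the public key file, and flags encrypted files inside directories the page says the ransomware leaves alone, since that would point to a variant rather than the behaviour documented here. The character class used for "randomstring", the interpretation of "in or under" as any path component, and the sample tree are assumptions made for this example.

```python
import os
import re
import shutil
import tempfile

# Assumption: "randomstring" is alphanumeric; the page does not state its alphabet.
ENCRYPTED_NAME = re.compile(r"^Encrypted_[A-Za-z0-9]+\.enc_robbinhood$")
RANSOM_NOTES = {"_Decrypt_Files.html", "_Decryption_ReadMe.html",
                "_Help_Help_Help.html", "_Help_Important.html"}
# Directories the page says are skipped; matched by name at any depth.
SKIPPED_DIRS = {"ProgramData", "Windows", "bootmgr", "Boot", "$WINDOWS.~BT",
                "Windows.old", "Temp", "tmp", "Program Files",
                "Program Files (x86)", "AppData", "$Recycle.bin",
                "System Volume Information"}


def hunt(root):
    """Walk root and collect RobbinHood file-system artifacts relative to that root."""
    result = {
        "encrypted": [], "notes": [], "folders_with_notes": set(), "anomalies": [],
        # The page says the key is read from C:\Windows\Temp\pub.key; here it is
        # checked relative to root so the example can run against any tree.
        "pub_key_present": os.path.isfile(os.path.join(root, "Windows", "Temp", "pub.key")),
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        in_skipped_dir = any(part in SKIPPED_DIRS for part in rel_parts)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME.match(name):
                result["encrypted"].append(path)
                if in_skipped_dir:
                    # Documented behaviour leaves these directories alone; an
                    # encrypted file here suggests a variant or other tooling.
                    result["anomalies"].append(path)
            elif name in RANSOM_NOTES:
                result["notes"].append(path)
                result["folders_with_notes"].add(dirpath)
    result["folders_with_notes"] = sorted(result["folders_with_notes"])
    for key in ("encrypted", "notes", "anomalies"):
        result[key].sort()
    return result


def build_sample_tree():
    """Create a constructed directory tree mimicking a host after encryption."""
    root = tempfile.mkdtemp(prefix="robbinhood_hunt_")
    files = {
        "docs/Encrypted_k3j9x2q.enc_robbinhood": b"\x00ciphertext",
        "docs/_Help_Important.html": b"<html>note</html>",
        "docs/_Decrypt_Files.html": b"<html>note</html>",
        "photos/Encrypted_a1b2c3.enc_robbinhood": b"\x00ciphertext",
        "photos/_Help_Help_Help.html": b"<html>note</html>",
        # Constructed anomaly: the page says AppData is skipped.
        "AppData/Roaming/Encrypted_zz9.enc_robbinhood": b"\x00ciphertext",
        "Windows/Temp/pub.key": b"-----BEGIN PUBLIC KEY-----",
        "Windows/Temp/rf_s": b"note created in docs",
        "readme.txt": b"plain, untouched",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        report = hunt(root)
        print(f"encrypted files: {len(report['encrypted'])}, ransom notes: {len(report['notes'])} "
              f"in {len(report['folders_with_notes'])} folders, pub.key present: {report['pub_key_present']}")
        for path in report["anomalies"]:
            print("encrypted file in a documented skip directory:", path)
    finally:
        shutil.rmtree(root)
```

Run against a mounted image or a live host with root set to the volume root, the report gives the scope of encryption (files and folders touched), confirms the pub.key artifact the ransomware depends on, and surfaces anything that contradicts the behaviour documented here before an analyst assumes this page describes the sample in hand.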